{"id":265,"date":"2024-03-21T19:41:26","date_gmt":"2024-03-21T19:41:26","guid":{"rendered":"https:\/\/www.ogselfhosting.com\/?p=265"},"modified":"2024-12-31T17:44:09","modified_gmt":"2024-12-31T17:44:09","slug":"enabling-2fa-for-cockpit","status":"publish","type":"post","link":"https:\/\/www.ogselfhosting.com\/index.php\/2024\/03\/21\/enabling-2fa-for-cockpit\/","title":{"rendered":"Enabling 2FA for Cockpit"},"content":{"rendered":"\n<p>TL;DR &#8211; here&#8217;s a video that explains briefly what cockpit is, and then goes through how it can be installed, and more importantly how 2FA can be enabled to make access more secure than the out-of-the-box default of username\/password.  I also go over where to find other plugin applications that can help make Cockpit even more useful.  Enjoy!<\/p>\n\n\n\n<p>[Update &#8211; video now in MP4 format &#8211; thanks to @tuhgy@sharkey.world for pointing this out]<\/p>\n\n\n\n<figure class=\"wp-block-video\"><video height=\"1080\" style=\"aspect-ratio: 1920 \/ 1080;\" width=\"1920\" controls src=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/cockpit-deb.mp4\"><\/video><\/figure>\n\n\n\n<p>Cockpit is an open source project sponsored by Red Hat to provide a simple GUI management portal that aids linux server management. Installation is a breeze (&#8216;sudo apt install cockpit &amp;&amp; sudo systemctl enable --now cockpit&#8217;).  This gets you a portal that can be accessed simply by navigating your browser to https:\/\/server-ip:9090.  You log in with your linux credentials and basically you get an interface you can use for managing and inspecting some basic services.  
Here&#8217;s the overview screen for one of my actual linux servers:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1897\" height=\"915\" src=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-31-02.png\" alt=\"\" class=\"wp-image-266\" srcset=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-31-02.png 1897w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-31-02-300x145.png 300w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-31-02-768x370.png 768w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-31-02-1536x741.png 1536w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-31-02-1200x579.png 1200w\" sizes=\"auto, (max-width: 1897px) 100vw, 1897px\" \/><\/figure>\n\n\n\n<p>Cockpit comes pre-installed with several plugin &#8216;apps&#8217; that expand and shape the functionality of the portal.  You can add more plugins to make it even more useful (see my video) &#8211; e.g. 
for zfs service management:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1917\" height=\"918\" src=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-33-06.png\" alt=\"\" class=\"wp-image-267\" srcset=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-33-06.png 1917w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-33-06-300x144.png 300w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-33-06-768x368.png 768w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-33-06-1536x736.png 1536w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-33-06-1200x575.png 1200w\" sizes=\"auto, (max-width: 1917px) 100vw, 1917px\" \/><\/figure>\n\n\n\n<p>You can even create virtual machines in cockpit that can be further viewed and configured with virt-manager.  
I showcase this in my video as I use cockpit on my real server to&#8230;create a virtual machine&#8230;in which I install and create a cockpit service and enable 2FA in the virtualized cockpit instance (!)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1920\" height=\"915\" src=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-35-19.png\" alt=\"\" class=\"wp-image-268\" srcset=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-35-19.png 1920w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-35-19-300x143.png 300w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-35-19-768x366.png 768w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-35-19-1536x732.png 1536w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-35-19-1200x572.png 1200w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1903\" height=\"868\" src=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-35-51.png\" alt=\"\" class=\"wp-image-269\" srcset=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-35-51.png 1903w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-35-51-300x137.png 300w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-35-51-768x350.png 768w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-35-51-1536x701.png 1536w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-35-51-1200x547.png 1200w\" 
sizes=\"auto, (max-width: 1903px) 100vw, 1903px\" \/><\/figure>\n\n\n\n<p>Whilst this is not as feature-rich as e.g. proxmox or xcp-ng, cockpit provides for a very capable and easy-to-use hypervisor in terms of the machines it creates.<\/p>\n\n\n\n<p>There are lots of videos and tutorials about cockpit that can inform on its capabilities.<\/p>\n\n\n\n<p>One concern I have about the basic installation for cockpit is that it gives you essentially the same access to a server as an ssh-connection without a public-private key: all it takes to log in to a cockpit server is a username and a password. That&#8217;s too weak from a security perspective for server access IMHO.  To fix that, we can add two-factor authentication (2FA) to the login, requiring the use of a 6-digit code in addition to the (potentially weak) user credentials.  Here&#8217;s how you do that e.g. for a Debian\/Ubuntu server (or you can watch my video above):<\/p>\n\n\n\n<p>Log in to your server, then install cockpit and Google&#8217;s authenticator app by running the following commands (as user, not root):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt update\nsudo apt install cockpit -y\nsudo apt install libpam-google-authenticator -y\ngoogle-authenticator<\/code><\/pre>\n\n\n\n<p>This updates your repositories, installs and enables cockpit, installs the authenticator app and runs it.  
After the installation, you will see an image similar to this as the 2FA app fires up:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1122\" height=\"785\" src=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-13-47-31.png\" alt=\"\" class=\"wp-image-273\" srcset=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-13-47-31.png 1122w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-13-47-31-300x210.png 300w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-13-47-31-768x537.png 768w\" sizes=\"auto, (max-width: 1122px) 100vw, 1122px\" \/><\/figure>\n\n\n\n<p>Scan the QR code with your 2FA app, enter the code at the prompt and answer the questions to complete the process (answering &#8216;y&#8217; is most secure, but even answering &#8216;n&#8217; makes for a very secure 2FA setup &#8211; google-search if you want to know more).  
Now we need to tell cockpit to use 2FA:  Edit the following file as root with your favorite editor, e.g. nano:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo nano \/etc\/pam.d\/cockpit<\/code><\/pre>\n\n\n\n<p>Add one line at the bottom of the file thus:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>auth required pam_google_authenticator.so nullok<\/code><\/pre>\n\n\n\n<p>Note that nullok lets accounts that have not yet run google-authenticator keep logging in with a password alone, so 2FA only protects users who have enrolled.  Save and quit, then issue the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo systemctl restart cockpit<\/code><\/pre>\n\n\n\n<p>Then log in to your cockpit server, entering your linux username and password:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1239\" height=\"871\" src=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-18-49.png\" alt=\"\" class=\"wp-image-279\" srcset=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-18-49.png 1239w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-18-49-300x211.png 300w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-18-49-768x540.png 768w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-18-49-1200x844.png 1200w\" sizes=\"auto, (max-width: 1239px) 100vw, 1239px\" \/><\/figure>\n\n\n\n<p>When you attempt to log in, you get a separate challenge for your 2FA 6-digit credential:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1266\" height=\"792\" src=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-19-38.png\" alt=\"\" class=\"wp-image-280\" srcset=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-19-38.png 1266w, 
https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-19-38-300x188.png 300w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-19-38-768x480.png 768w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-19-38-1200x751.png 1200w\" sizes=\"auto, (max-width: 1266px) 100vw, 1266px\" \/><\/figure>\n\n\n\n<p>Use your phone app to get the current 2FA code (which changes every 30 seconds), enter it and you should be logged in, e.g.:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1894\" height=\"1021\" src=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-23-06.png\" alt=\"\" class=\"wp-image-281\" srcset=\"https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-23-06.png 1894w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-23-06-300x162.png 300w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-23-06-768x414.png 768w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-23-06-1536x828.png 1536w, https:\/\/www.ogselfhosting.com\/wp-content\/uploads\/2024\/03\/Screenshot-from-2024-03-21-09-23-06-1200x647.png 1200w\" sizes=\"auto, (max-width: 1894px) 100vw, 1894px\" \/><\/figure>\n\n\n\n<p>There you have it, 2FA cockpit enabled.  This is now much more secure just as it should be for linux server access.<\/p>\n\n\n\n<p>Bonus: for those who access their ssh servers over WAN (I don&#8217;t), you can add 2FA access to your ssh connections too.  
I have an article <a href=\"https:\/\/www.ogselfhosting.com\/index.php\/2022\/07\/03\/make-ssh-better-with-convenient-2fa\/\">here<\/a> that shows you how to do that &#8220;more conveniently&#8221; than the typical ssh-2FA implementations.<\/p>\n\n\n\n<p>If this article is useful, please share it. <\/p>\n\n\n\n<p>Andrew<\/p>\n","protected":false},"excerpt":{"rendered":"<p>TL;DR &#8211; here&#8217;s a video that explains briefly what cockpit is, and then goes through how it can be installed, and more importantly how 2FA can be enabled to make access more secure than the out-of-the-box default of username\/password. I also go over where to find other plugin applications that can help make Cockpit even [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,25,23],"tags":[],"class_list":["post-265","post","type-post","status-publish","format-standard","hentry","category-2fa","category-cockpit","category-debian12"],"_links":{"self":[{"href":"https:\/\/www.ogselfhosting.com\/index.php\/wp-json\/wp\/v2\/posts\/265","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ogselfhosting.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ogselfhosting.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ogselfhosting.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ogselfhosting.com\/index.php\/wp-json\/wp\/v2\/comments?post=265"}],"version-history":[{"count":13,"href":"https:\/\/www.ogselfhosting.com\/index.php\/wp-json\/wp\/v2\/posts\/265\/revisions"}],"predecessor-version":[{"id":316,"href":"https:\/\/www.ogselfhosting.com\/index.php\/wp-json\/wp\/v2\/posts\/265\/revisions\/316"}],"wp:attachment":[{"href":"https:\/\/www.ogselfhosting.com\/index.php\/wp-json\/wp\/v2\/media?parent=265"}],"wp:term":[{
"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ogselfhosting.com\/index.php\/wp-json\/wp\/v2\/categories?post=265"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ogselfhosting.com\/index.php\/wp-json\/wp\/v2\/tags?post=265"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}